Re: [tor-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

2017-02-10 Thread Tor Bug Tracker & Wiki
#21418: New Tor Browser http response header, for high security websites
-----------------------------------------+-------------------------
 Reporter:  micahlee                     |          Owner:  tbb-team
     Type:  enhancement                  |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:                               |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------

Comment (by micahlee):

 Tom, that's a very good point about how after the attacker hacks a web
 server they can change the response headers.

 It seems like, to accomplish this for SecureDrop servers, Tor Browser
 would have to bundle some sort of Tor-High-Security preload list of
 domains, similar to the HSTS preload list. And, of course, start
 maintaining that list.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
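As an added example (not code from the ticket or from Tor Browser), here is a toy resolver for the three designs weighed in this thread: a header honoured only for the response that carries it, a header remembered with max-age as tom describes, and the bundled preload list micahlee proposes. The header name `Tor-High-Security`, its HSTS-style `max-age` value and the `.example` domains are assumptions made for the illustration.

```python
# Added example, not code from the ticket or Tor Browser: a toy resolver for
# the three designs debated in this thread. The header name Tor-High-Security
# and its HSTS-style max-age value are assumptions (no such header exists).
from typing import Dict, List, Optional, Set, Tuple

HEADER = "tor-high-security"

def parse_max_age(value: str) -> Optional[int]:
    """Extract the max-age seconds from a value such as 'max-age=604800'."""
    for field in value.split(";"):
        name, _, num = field.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

def resolve(domain: str, headers: List[Tuple[str, str]], now: int,
            state: Dict[str, int], preload: Set[str]) -> Tuple[bool, str]:
    """Return (high-security applies?, which mechanism decided it).
    `state` maps domain -> expiry time; it is exactly the persisted state
    tom says Tor Browser does not want to keep."""
    value = next((v for n, v in headers if n.lower() == HEADER), None)
    if value is not None:
        age = parse_max_age(value)
        if age:
            state[domain] = now + age      # remembered, like HSTS max-age
        elif age == 0:
            state.pop(domain, None)        # HSTS semantics: max-age=0 forgets
    if domain in preload:                  # bundled list: nothing the server
        return True, "preload"             # sends later can downgrade this
    if value is not None:
        return True, "per-response"        # gone as soon as the header is gone
    if state.get(domain, 0) > now:
        return True, "remembered"
    return False, "none"

def scenario() -> List[Tuple[int, bool, str]]:
    """Constructed visits (not real traffic): on day 0 an honest server opts
    in; from day 1 whoever controls it no longer sends the header."""
    state: Dict[str, int] = {}
    preload = {"securedrop.example"}       # constructed preload entry
    day = 86400
    visits = [
        (0,        "news.example",       [(HEADER, "max-age=%d" % (7 * day))]),
        (1 * day,  "news.example",       []),   # stripped, still remembered
        (10 * day, "news.example",       []),   # entry has expired
        (0,        "securedrop.example", []),   # preload needs no header
        (0,        "blog.example",       [(HEADER, "")]),   # per-response only
        (1 * day,  "blog.example",       []),   # stripped: no protection left
    ]
    return [(t, *resolve(d, h, t, state, preload)) for t, d, h in visits]
```

The list `scenario()` returns shows the difference in one glance: only the preload entry keeps applying no matter what the server sends, the remembered entry survives until its max-age lapses, and the per-response variant vanishes with the header.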

Re: [tor-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

2017-02-08 Thread Tor Bug Tracker & Wiki
#21418: New Tor Browser http response header, for high security websites
-----------------------------------------+-------------------------
 Reporter:  micahlee                     |          Owner:  tbb-team
     Type:  enhancement                  |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:                               |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------

Comment (by tom):

 Is a header the right choice for this? On the surface, I kind of like the
 ability for a website to opt-in to stricter security controls but the
 threat model is odd.

 If it's an HTTP header that applies per-request, the attacker has hacked
 the server or the network, but not completely, otherwise they could remove
 or disable the header.

 If it's some sort of persistent mechanism (for example: an HTTP header that
 gets remembered with max-age) then we're presuming the HTTP server is
 trustable at one point in time and then gets compromised later.

 That second one seems a lot more reasonable to me than just a per-response
 header.

 It does, however, introduce the state problem - you don't actually want to
 remember state in Tor Browser so we would have to solve that problem.

 I would note that this really applies more for the other features of the
 Tor Browser security slider than JavaScript. You can effectively disable
 JavaScript entirely using Content Security Policy, which _is_ a per-response
 header that Tor Browser already supports.

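As an added example (not code from the ticket or from Tor Browser), here is a small checker for tom's two observations: Content-Security-Policy, a per-response header, can already disable script execution outright, and any purely per-response opt-in protects nothing once whoever controls the server stops sending the header. CSP semantics are simplified to what the question needs, and the sample responses are constructed.

```python
# Added example, not code from the ticket or Tor Browser: simplified CSP
# semantics, enough to answer "does this response block script execution?"
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive-name: [source expressions]}.
    When a directive is repeated within one policy, only the first one counts."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def policy_blocks_scripts(policy: Dict[str, List[str]]) -> bool:
    """script-src governs scripts; default-src is the fallback when it is absent.
    Scripts are blocked outright only when the governing source list is empty
    or consists solely of 'none'."""
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return False                      # nothing governs scripts: allowed
    return all(s.lower() == "'none'" for s in sources)

def response_blocks_scripts(headers: Headers) -> bool:
    """Every Content-Security-Policy header on a response is enforced
    independently, so scripts are blocked if any one policy blocks them."""
    return any(policy_blocks_scripts(parse_csp(v))
               for name, v in headers
               if name.lower() == "content-security-policy")

# Constructed sample responses (not captured traffic).
HONEST_RESPONSE: Headers = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'none'"),
]
# The same site once whoever controls the server drops the header: the
# per-response opt-in tom describes protects nothing here.
STRIPPED_RESPONSE: Headers = [("Content-Type", "text/html")]

if __name__ == "__main__":
    print("honest blocks scripts:", response_blocks_scripts(HONEST_RESPONSE))
    print("stripped blocks scripts:", response_blocks_scripts(STRIPPED_RESPONSE))
```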

Re: [tor-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

2017-02-08 Thread Tor Bug Tracker & Wiki
#21418: New Tor Browser http response header, for high security websites
-----------------------------------------+-------------------------
 Reporter:  micahlee                     |          Owner:  tbb-team
     Type:  enhancement                  |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:                               |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------
Changes (by micahlee):

 * type:  defect => enhancement



Re: [tor-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

2017-02-08 Thread Tor Bug Tracker & Wiki
#21418: New Tor Browser http response header, for high security websites
-----------------------------------------+-------------------------
 Reporter:  micahlee                     |          Owner:  tbb-team
     Type:  defect                       |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:                               |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------
Changes (by mcs):

 * cc: brade, mcs (added)



Re: [tor-bugs] #21418 [Applications/Tor Browser]: New Tor Browser http response header, for high security websites

2017-02-08 Thread Tor Bug Tracker & Wiki
#21418: New Tor Browser http response header, for high security websites
-----------------------------------------+-------------------------
 Reporter:  micahlee                     |          Owner:  tbb-team
     Type:  defect                       |         Status:  new
 Priority:  Medium                       |      Milestone:
Component:  Applications/Tor Browser     |        Version:
 Severity:  Normal                       |     Resolution:
 Keywords:                               |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+-------------------------
Changes (by micahlee):

 * owner:   => tbb-team
 * component:  - Select a component => Applications/Tor Browser

